nanog mailing list archives

Re: Google DNS intermittent ServFail for Disney subdomain


From: David Conrad <drc () virtualized org>
Date: Sun, 22 Oct 2017 09:23:12 -0700

Damian,

Pragmatically speaking, I strongly suspect the increase in valid queries to authoritative servers even if all “large 
recursive resolvers” went away would be lost in the noise of the overcapacity necessary to deal with even a lower-end DDoS 
attack.

Perhaps more interestingly, if said recursive resolvers on home routers would implement DNSSEC with RFC 8198 (and the 
owners of the authoritative zones would sign those zones), an entire class of DDoS attack would be mitigated. Further, 
if said recursive resolvers also implemented RFC 7706, latency to the root would be reduced and the risk to the 
network behind that recursive resolver of a DDoS against the root of the DNS would be removed.

Regards,
-drc

On Oct 22, 2017, 12:00 AM -0700, Damian Menscher via NANOG <nanog () nanog org>, wrote:
On Fri, Oct 20, 2017 at 6:29 AM, Filip Hruska <fhr () fhrnet eu> wrote:

Would be great if makers of home routers would implement full recursive DNS resolvers instead of just forwards in their gear.


Ignoring the latency impact of your proposal, I wonder what would happen to
the world's authoritative servers if all users hit them directly rather
than going through large recursive resolvers that do caching? I'm guessing
it wouldn't be pretty.

Damian
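As an added illustration of the RFC 8198 mechanism David refers to (a constructed toy model written for this archive page, not code from the thread or from any real resolver; DNSSEC signature validation is omitted, and the zone names and query labels are made up), the model counts how many queries from a flood of nonexistent subdomains actually reach the authoritative server with and without aggressive NSEC caching:

```python
"""Toy model of RFC 8198 aggressive NSEC caching (constructed example, not code from
the thread). A cached NSEC span proves nothing exists in it, so names inside it get
NXDOMAIN from cache instead of a fresh authoritative query."""
from dataclasses import dataclass, field


def canonical_key(name: str) -> tuple:
    """DNSSEC canonical order: labels compared right to left, case-insensitive."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


@dataclass
class AuthServer:
    names: list                 # owner names in the (signed) zone, apex included
    queries: int = 0            # how many queries reached this server
    def lookup(self, qname: str):
        self.queries += 1
        keys = sorted(canonical_key(n) for n in self.names)
        q = canonical_key(qname)
        if q in keys:
            return "NOERROR", None
        prev = max(k for k in keys if k < q)       # closest existing name before q
        after = [k for k in keys if k > q]
        nxt = after[0] if after else keys[0]       # last NSEC wraps back to the apex
        return "NXDOMAIN", (prev, nxt)             # the NSEC span proving nonexistence


@dataclass
class Resolver:
    auth: AuthServer
    aggressive: bool                               # RFC 8198 on or off
    nsec_cache: list = field(default_factory=list)
    def covered(self, q: tuple) -> bool:
        for prev, nxt in self.nsec_cache:
            if prev < q < nxt or (nxt <= prev and q > prev):  # wrap-around span
                return True
        return False
    def resolve(self, qname: str) -> str:
        if self.aggressive and self.covered(canonical_key(qname)):
            return "NXDOMAIN"                      # synthesized; no upstream query
        rcode, span = self.auth.lookup(qname)
        if span is not None and self.aggressive:
            self.nsec_cache.append(span)
        return rcode


def upstream_queries(labels: list, aggressive: bool) -> int:
    """Authoritative queries caused by a flood of nonexistent subdomain lookups."""
    auth = AuthServer(["example.com", "mail.example.com", "www.example.com"])
    resolver = Resolver(auth, aggressive)
    for lbl in labels:
        resolver.resolve(f"{lbl}.example.com")
    return auth.queries
```

With the three-name zone above, an aggressive-caching resolver needs at most three upstream queries (one per NSEC span) no matter how many distinct nonexistent names are thrown at it, while a plain resolver forwards every one.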
